Sergey Biryukov
1de6b1a3bd
Grouped backports to the 3.7 branch.
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on "Are you sure?" screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Comments: Apply kses when editing comments,
- Mail: Reset PHPMailer properties between use,
- Widgets: Escape RSS error messages for display.
Merges [54521], [54522], [54523], [54525], [54527], [54529], [54541] to the 3.7 branch.
Props voldemortensen, johnbillion, paulkevan, peterwilsoncc, xknown, dd32, audrasjb, martinkrcho, davidbaumwald, tykoted, matveb, talldanwp.
Built from https://develop.svn.wordpress.org/branches/3.7@54546
git-svn-id: http://core.svn.wordpress.org/branches/3.7@54101 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-10-17 17:41:41 +00:00
whyisjake
88dbf8b593
Backporting several bug fixes.
- Query: Remove the static query property.
- HTTP API: Protect against hex interpretation.
- Filesystem API: Prevent directory traversals when creating new folders.
- Administration: Ensure that admin referer nonce is valid.
- REST API: Send a Vary: Origin header on GET requests.
- Customizer: Properly sanitize background images.
Backports [46474], [46475], [46476], [46477], [46478], [46483], [46485] to the 3.7 branch.
Built from https://develop.svn.wordpress.org/branches/3.7@46505
git-svn-id: http://core.svn.wordpress.org/branches/3.7@46302 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-10-14 19:32:09 +00:00
Jeremy Felt
a1d2eb2c85
Media: Improve verification of MIME file types.
Merges [43988] to the 3.7 branch.
Built from https://develop.svn.wordpress.org/branches/3.7@44012
git-svn-id: http://core.svn.wordpress.org/branches/3.7@43842 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-12 23:50:09 +00:00
John Blackbourn
32bf48628e
Media: Limit thumbnail file deletions to the same directory as the original file.
Merges [43393] into the 3.7 branch.
Built from https://develop.svn.wordpress.org/branches/3.7@43405
git-svn-id: http://core.svn.wordpress.org/branches/3.7@43233 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-07-05 15:19:09 +00:00
John Blackbourn
9f7b91d4bc
Hardening: Remove the ability to upload JavaScript files for users who do not have the `unfiltered_html` capability.
Merges [42261] to the 3.7 branch.
Built from https://develop.svn.wordpress.org/branches/3.7@42315
git-svn-id: http://core.svn.wordpress.org/branches/3.7@42144 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:53:09 +00:00
Joe McGill
8d4f4a9a05
Media: Fix exif_imagetype check in wp_get_image_mime
This is a follow up to [39831].
Merges [39850] to the 3.7 branch.
Built from https://develop.svn.wordpress.org/branches/3.7@39861
git-svn-id: http://core.svn.wordpress.org/branches/3.7@39798 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 16:46:22 +00:00
Joe McGill
e6de513be6
Media: Improve image filetype checking.
This adds a new function `wp_get_image_mime()` which is used by
`wp_check_filetype_and_ext()` to validate image files using
`exif_imagetype()` if available instead of `getimagesize()`.
`getimagesize()` is less performant than `exif_imagetype()` and is
dependent on GD. If `exif_imagetype()` is not available, it falls back to
`getimagesize()` as before.
If `wp_check_filetype_and_ext()` can't validate the filetype, we now return
`false` for ext/MIME values.
Merges [39831] to the 3.7 branch.
Built from https://develop.svn.wordpress.org/branches/3.7@39842
git-svn-id: http://core.svn.wordpress.org/branches/3.7@39780 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-01-11 13:21:09 +00:00
Andrew Nacin
3d8c17a9c8
Fix a regression in wp_mkdir_p() where the $mode of the parent folder is not correctly applied to all created paths.
Merges [26449] and [26927] from 3.8.x to the 3.7 branch.
props dd32.
fixes #25822.
Built from https://develop.svn.wordpress.org/branches/3.7@27887
git-svn-id: http://core.svn.wordpress.org/branches/3.7@27718 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-04-01 04:02:10 +00:00
Andrew Nacin
8f0f48e3f9
Avoid a notice in is_main_network() when called in single site. see #25030.
Built from https://develop.svn.wordpress.org/trunk@25827
git-svn-id: http://core.svn.wordpress.org/trunk@25739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-17 05:17:08 +00:00
Sergey Biryukov
336c737727
Correct phpdoc for wp_check_filetype_and_ext(). props dimadin. fixes #25513.
Built from https://develop.svn.wordpress.org/trunk@25713
git-svn-id: http://core.svn.wordpress.org/trunk@25626 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-07 15:34:10 +00:00
Andrew Nacin
d7fc6d5d49
Order search results by relevance, rather than by date.
The ordering logic is as follows:
* Full sentence matches in post titles.
* All search terms in post titles.
* Any search terms in post titles.
* Full sentence matches in post content.
Each section and any remaining posts are then sorted by date.
Introduces some filters:
* wp_search_stopwords, to filter stop words ignored in WHERE.
* posts_search_orderby, to filter the ORDER BY when ordering search results.
props azaozz, wonderboymusic.
fixes #7394.
Built from https://develop.svn.wordpress.org/trunk@25632
git-svn-id: http://core.svn.wordpress.org/trunk@25549 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-27 17:34:09 +00:00
Dominik Schilling
32aff2db8a
Add 'image' type/extensions to wp_ext2type() and make it case insensitive. props xparham. fixes #25176.
Built from https://develop.svn.wordpress.org/trunk@25437
git-svn-id: http://core.svn.wordpress.org/trunk@25359 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-14 14:34:09 +00:00
Dion Hulse
bbd3312389
Account for Windows and CLI instances in wp_guess_url(). Props SergeyBiryukov. See #25317
Built from https://develop.svn.wordpress.org/trunk@25436
git-svn-id: http://core.svn.wordpress.org/trunk@25358 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-14 03:43:10 +00:00
Andrew Nacin
4542e678d2
Return false from wp_get_original_referer() if it is called before wp_validate_redirect() is defined.
see #25294.
Built from https://develop.svn.wordpress.org/trunk@25400
git-svn-id: http://core.svn.wordpress.org/trunk@25331 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-12 13:36:09 +00:00
Andrew Nacin
46611d4282
Return false from wp_get_referer() if it is called before wp_validate_redirect() is defined.
see #25294.
Built from https://develop.svn.wordpress.org/trunk@25399
git-svn-id: http://core.svn.wordpress.org/trunk@25330 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-12 13:33:09 +00:00
Dion Hulse
641d3b2560
Fix wp_guess_url() to work in every scenario I could find, allows us to use it to determine the correct path to the WordPress Site URL before installation for install.php and setup-config.php redirects. Fixes #24480 Fixes #16884
Built from https://develop.svn.wordpress.org/trunk@25396
git-svn-id: http://core.svn.wordpress.org/trunk@25327 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-12 06:57:09 +00:00
Helen Hou-Sandí
8359c66176
Indicate that the fall-through in `is_serialized()` is deliberate. fixes #24023.
Built from https://develop.svn.wordpress.org/trunk@25371
git-svn-id: http://core.svn.wordpress.org/trunk@25321 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-12 03:41:09 +00:00
Dion Hulse
ca008522f3
Add a set of helpers to turn the behaviour of mbstring.func_overload off when needed. Fixes #25259
Built from https://develop.svn.wordpress.org/trunk@25346
git-svn-id: http://core.svn.wordpress.org/trunk@25308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-11 07:23:08 +00:00
Andrew Nacin
1536779aaf
Avoid error in ms-files.php after [25317].
Built from https://develop.svn.wordpress.org/trunk@25344
git-svn-id: http://core.svn.wordpress.org/trunk@25306 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-11 04:49:10 +00:00
Andrew Nacin
89c57124da
Improve clarity and speed of [25320].
Built from https://develop.svn.wordpress.org/trunk@25338
git-svn-id: http://core.svn.wordpress.org/trunk@25300 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-11 03:23:08 +00:00
Scott Taylor
02757de9d8
Remove dead code in `add_query_arg()`.
Props hakre, c3mdigital.
Fixes #16942.
Built from https://develop.svn.wordpress.org/trunk@25333
git-svn-id: http://core.svn.wordpress.org/trunk@25295 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-10 23:38:09 +00:00
Andrew Nacin
a461a25d76
Loose validation for is_serialized() in maybe_serialize().
Built from https://develop.svn.wordpress.org/trunk@25320
git-svn-id: http://core.svn.wordpress.org/trunk@25282 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-10 18:10:09 +00:00
Andrew Nacin
cf3fddde96
Validate referrers to prevent off-domain redirects.
Built from https://develop.svn.wordpress.org/trunk@25318
git-svn-id: http://core.svn.wordpress.org/trunk@25280 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-10 18:07:10 +00:00
Andrew Nacin
c8a7b53c65
Tighten allowed upload file types.
Built from https://develop.svn.wordpress.org/trunk@25317
git-svn-id: http://core.svn.wordpress.org/trunk@25279 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-10 18:04:09 +00:00
Scott Taylor
a563a5b2fa
Replace the ancient `phpfreaks.com` RegEx to extract urls to ping with a more robust matcher. URLs with commas and things like `&` were not being pinged. The new matcher even works for most IDN URLs. Adds unit tests.
Fixes #9064.
Built from https://develop.svn.wordpress.org/trunk@25313
git-svn-id: http://core.svn.wordpress.org/trunk@25275 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-10 03:18:08 +00:00
Andrew Nacin
6a1ac52330
Be less verbose when erroring out in do_feed() for an invalid feed template. fixes #24874.
Built from https://develop.svn.wordpress.org/trunk@25190
git-svn-id: http://core.svn.wordpress.org/trunk@25162 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-30 23:37:11 +00:00
Andrew Nacin
1fbc03a388
The main site of a secondary network should not use the original wp-content/uploads upload path.
props jeremyfelt.
fixes #25030.
Built from https://develop.svn.wordpress.org/trunk@25148
git-svn-id: http://core.svn.wordpress.org/trunk@25127 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-28 03:36:09 +00:00
Andrew Nacin
4d6d80a14f
Introduce is_main_network().
By default, a network ID of 1 is assumed to be the main network.
Otherwise, it is the first network listed in the wp_site table.
If PRIMARY_NETWORK_ID is defined, it is considered main network.
props jeremyfelt.
see #25030.
Built from https://develop.svn.wordpress.org/trunk@25147
git-svn-id: http://core.svn.wordpress.org/trunk@25126 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-28 03:35:08 +00:00
Sergey Biryukov
c7de681a26
Add description for _wp_timezone_choice_usort_callback(). props neoxx. fixes #25125.
Built from https://develop.svn.wordpress.org/trunk@25101
git-svn-id: http://core.svn.wordpress.org/trunk@25083 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-23 13:57:08 +00:00
Dion Hulse
5eb1c81924
Make use of the recursive option in mkdir() in wp_mkdir_p(). Avoids a bunch of silenced PHP Notices being logged. Fixes #23196
Built from https://develop.svn.wordpress.org/trunk@25047
git-svn-id: http://core.svn.wordpress.org/trunk@25034 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-17 03:09:11 +00:00
Andrew Nacin
1065f55586
Add a function to return an empty string, for filters. props wpsmith, trepmal. fixes #20357.
Built from https://develop.svn.wordpress.org/trunk@25037
git-svn-id: http://core.svn.wordpress.org/trunk@25024 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-16 20:02:08 +00:00
Ryan Boren
acc0aec2b0
Silence is_dir() to avoid warning when upload_tmp_dir is outside open_basedir.
Props dpash
fixes #24704
git-svn-id: http://core.svn.wordpress.org/trunk@24995 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-06 17:39:33 +00:00
Andrew Nacin
21a1fe8d4b
Use wp_safe_remote_request() and friends instead of reject_unsafe_urls = true.
fixes #24646.
git-svn-id: http://core.svn.wordpress.org/trunk@24917 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-31 06:52:13 +00:00
Michael Adams
ec6f40342a
Allow HTTPS URL enclosures.
Props markjaquith with a patch that predates all WordCamps.
Fixes #2875.
git-svn-id: http://core.svn.wordpress.org/trunk@24810 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-28 19:07:43 +00:00
Andrew Nacin
a70604d441
Add iWork formats to valid upload filetypes. key, numbers, pages. props barry, fixes #24621.
git-svn-id: http://core.svn.wordpress.org/trunk@24782 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-23 15:29:26 +00:00
Ryan Boren
cbf77c6523
Fire wp_auth_check_load() from admin_enqueue_scripts instead of admin_init so that it can access the current screen object.
Black list the update and upgrade screens.
Allow plugins to white/black list screens via the wp_auth_check_load filter.
Props nacin
see #23295
git-svn-id: http://core.svn.wordpress.org/trunk@24738 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-18 19:06:35 +00:00
Peter Westwood
b58e828475
Fall back to non-translated strings in _deprecated_*() if the translation function doesn't exist. This may be the case in sunrise, for example.
Fixes #24778 props SergeyBiryukov.
git-svn-id: http://core.svn.wordpress.org/trunk@24723 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-17 21:04:50 +00:00
Andrew Ozz
b96efc779a
Logged out warnings:
- Replace the Close button with an always visible "X" icon in the top/right corner.
- Check if the user is still logged in every 3 min. by default.
- Add 'wp_auth_check_interval' filter so the interval can be set from PHP.
See #23295.
git-svn-id: http://core.svn.wordpress.org/trunk@24695 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-12 23:32:32 +00:00
Andrew Nacin
740d141e1d
Support IIS 8 and above.
props hurtige for initial patch.
fixes #23533.
git-svn-id: http://core.svn.wordpress.org/trunk@24594 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-08 20:27:06 +00:00
Ryan Boren
419fea1a16
Normalize the UTF-8 and ISO-8859-1 charset strings stored in blog_charset to make them friendlier with PHP functions that accept a charset such as htmlspecialchars().
fixes #23688
git-svn-id: http://core.svn.wordpress.org/trunk@24510 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-25 19:03:17 +00:00
Andrew Nacin
96ee267343
Better validation of the URL used in core HTTP requests.
git-svn-id: http://core.svn.wordpress.org/trunk@24480 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-21 06:07:47 +00:00
Andrew Nacin
7addff9967
Use correct variable order in add_query_arg(). This had mostly just filled error logs; it also broke some obscure URL situations. see #23284 .
git-svn-id: http://core.svn.wordpress.org/trunk@24444 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-19 08:33:10 +00:00
Andrew Nacin
bb1234c4be
Fall back to non-translated strings in _doing_it_wrong() if the translation function doesn't exist. This may be the case in sunrise, for example.
props SergeyBiryukov.
fixes #23555.
for trunk.
git-svn-id: http://core.svn.wordpress.org/trunk@24439 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-19 08:11:59 +00:00
Andrew Ozz
b1009b33c4
Logged out warnings: fix same domain comparison in wp_auth_check_html() when FORCE_SSL_LOGIN && ! FORCE_SSL_ADMIN. See #23295
git-svn-id: http://core.svn.wordpress.org/trunk@24266 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-15 22:09:54 +00:00
Sergey Biryukov
74638ccb5a
Fix typos in phpdoc. props TheLastCicada. fixes #24302.
git-svn-id: http://core.svn.wordpress.org/trunk@24229 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-10 01:39:30 +00:00
Andrew Ozz
19c3b4bfdc
Logged out warnings:
- Don't use <base> tag to set target="_blank". It can break form submission. Instead, set target only on links with JS.
- Fix same domain comparison in wp_auth_check_html() when FORCE_SSL_LOGIN == true.
- Properly show/hide the "Close" button when the dialog is shown multiple times.
See #23295
git-svn-id: http://core.svn.wordpress.org/trunk@24208 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-08 22:45:58 +00:00
Mark Jaquith
0a49442e35
Multiple improvements to image post format insertion and display.
* get_tag_regex() altered based on Unit Tests.
* Changes to post-formats.js to provide size and link context during image selection.
* Captions are now output in the_post_format_image() when present.
* The meta value for url is respected for the image post format when the HTML in the image meta doesn't include a link
props wonderboymusic. fixes #23965, #23964. see #24147, #24046.
git-svn-id: http://core.svn.wordpress.org/trunk@24066 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-04-22 22:11:42 +00:00
Andrew Ozz
bcb9eef7cd
Logged out warnings: fix phpdoc, props ocean90, see #23295
git-svn-id: http://core.svn.wordpress.org/trunk@23922 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-04-05 23:28:40 +00:00
Andrew Ozz
04c5aefbea
Logged out warnings: add fallback text dialog for:
- The login page has "X-Frame-Options: DENY" header.
- Cross-domain when displaying on the front-end on multisite with domain mapping.
- The site forces ssl login but not ssl admin.
Add onbeforeunload prompt to counter (frame-busting) JS redirects. Move the JS and CSS into separate files. See #23295.
git-svn-id: http://core.svn.wordpress.org/trunk@23805 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-27 08:43:11 +00:00
Ryan Boren
9f44cb4038
Remove old phpdoc that incorrectly marks wp_timezone_choice() as temporary.
Props danielbachhuber
fixes #23804
git-svn-id: http://core.svn.wordpress.org/trunk@23738 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-18 13:35:34 +00:00